stable.vger.kernel.org archive mirror
From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Neil Horman <nhorman@tuxdriver.com>,
	Vlad Yasevich <vyasevich@gmail.com>,
	"David S. Miller" <davem@davemloft.net>, Willy Tarreau <w@1wt.eu>
Subject: [ 013/143] sctp: Use correct sideffect command in duplicate cookie handling
Date: Mon, 12 May 2014 02:32:13 +0200	[thread overview]
Message-ID: <20140512003201.177421105@1wt.eu> (raw)
In-Reply-To: <f07e5fe6d87f172fc73580b9c86ba9a2@local>

2.6.32-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Yasevich <vyasevich@gmail.com>

commit f2815633504b442ca0b0605c16bf3d88a3a0fcea upstream

When SCTP is done processing a duplicate cookie chunk, it tries
to delete a newly created association.  For that, it has to set
the right association for the side-effect processing to work.
However, when it uses the SCTP_CMD_NEW_ASOC command, that performs
more work than really needed (like hashing the association and
assigning it an id) and there is no point to do that only to
delete the association as a next step.  In fact, it also creates
an impossible condition where an association may be found by
the getsockopt() call, and that association is empty.  This
causes a crash in some sctp getsockopts.

The solution is rather simple.  We simply use SCTP_CMD_SET_ASOC
command that doesn't have all the overhead and does exactly
what we need.

Reported-by: Karl Heiss <kheiss@gmail.com>
Tested-by: Karl Heiss <kheiss@gmail.com>
CC: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 net/sctp/sm_statefuns.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 9e4e846..486df56 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2045,7 +2045,7 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
 	}
 
 	/* Delete the tempory new association. */
-	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
+	sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
 
 	/* Restore association pointer to provide SCTP command interpeter
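Review bot: since the hunk only swaps SCTP_CMD_NEW_ASOC for SCTP_CMD_SET_ASOC on the `sctp_add_cmd_sf(commands, ...)` line and introduces nothing else, the backport depends on SCTP_CMD_SET_ASOC already being defined in the 2.6.32 tree under review; a build of net/sctp before merging confirms that. With that in place the ordering reads correctly: SET_ASOC only points the side-effect interpreter at new_asoc, so the `sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());` on the following line tears down an association that was never hashed or given an id, which closes the window described in the changelog where getsockopt() could find an empty association. The adjacent comments misspell "tempory" and "interpeter"; leaving them untouched is fine for a minimal stable backport.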
-- 
1.7.12.2.21.g234cd45.dirty


Thread overview: 172+ messages
     [not found] <f07e5fe6d87f172fc73580b9c86ba9a2@local>
2014-05-12  0:32 ` [ 000/143] 2.6.32.62-longterm review Willy Tarreau
2014-05-12  0:32 ` [ 001/143] scsi: fix missing include linux/types.h in scsi_netlink.h Willy Tarreau
2014-05-12  0:32 ` [ 002/143] Fix lockup related to stop_machine being stuck in __do_softirq Willy Tarreau
2014-05-12  0:32 ` [ 003/143] Revert "x86, ptrace: fix build breakage with gcc 4.7" Willy Tarreau
2014-05-12  0:32 ` [ 004/143] x86, ptrace: fix build breakage with gcc 4.7 (second try) Willy Tarreau
2014-05-12  0:32 ` [ 005/143] ipvs: fix CHECKSUM_PARTIAL for TCP, UDP Willy Tarreau
2014-05-12  0:32 ` [ 006/143] intel-iommu: Flush unmaps at domain_exit Willy Tarreau
2014-05-12  0:32 ` [ 007/143] staging: comedi: ni_65xx: (bug fix) confine insn_bits to one Willy Tarreau
2014-05-12  0:32 ` [ 008/143] kernel/kmod.c: check for NULL in call_usermodehelper_exec() Willy Tarreau
2014-05-12  0:32 ` [ 009/143] cciss: fix info leak in cciss_ioctl32_passthru() Willy Tarreau
2014-05-12  0:32 ` [ 010/143] cpqarray: fix info leak in ida_locked_ioctl() Willy Tarreau
2014-05-12  0:32 ` [ 011/143] drivers/cdrom/cdrom.c: use kzalloc() for failing hardware Willy Tarreau
2014-05-12  0:32 ` [ 012/143] sctp: deal with multiple COOKIE_ECHO chunks Willy Tarreau
2014-05-12  0:32 ` Willy Tarreau [this message]
2014-05-12  0:32 ` [ 014/143] ipv6: ip6_sk_dst_check() must not assume ipv6 dst Willy Tarreau
2014-05-12  0:32 ` [ 015/143] af_key: fix info leaks in notify messages Willy Tarreau
2014-05-12  0:32 ` [ 016/143] af_key: initialize satype in key_notify_policy_flush() Willy Tarreau
2014-05-12  0:32 ` [ 017/143] block: do not pass disk names as format strings Willy Tarreau
2014-05-12  0:32 ` [ 018/143] b43: stop format string leaking into error msgs Willy Tarreau
2014-05-12  0:32 ` [ 019/143] HID: validate HID report id size Willy Tarreau
2014-05-12  0:32 ` [ 020/143] HID: zeroplus: validate output report details Willy Tarreau
2014-05-12  0:32 ` [ 021/143] HID: pantherlord: " Willy Tarreau
2014-05-12  0:32 ` [ 022/143] HID: LG: validate HID " Willy Tarreau
2014-05-12  0:32 ` [ 023/143] HID: check for NULL field when setting values Willy Tarreau
2014-05-12  0:32 ` [ 024/143] HID: provide a helper for validating hid reports Willy Tarreau
2014-05-12  0:32 ` [ 025/143] crypto: api - Fix race condition in larval lookup Willy Tarreau
2014-05-12  0:32 ` [ 026/143] ipv6: tcp: fix panic in SYN processing Willy Tarreau
2014-05-12  0:32 ` [ 027/143] tcp: must unclone packets before mangling them Willy Tarreau
2014-05-12  0:32 ` [ 028/143] net: do not call sock_put() on TIMEWAIT sockets Willy Tarreau
2014-05-12  0:32 ` [ 029/143] net: heap overflow in __audit_sockaddr() Willy Tarreau
2014-05-12  0:32 ` [ 030/143] proc connector: fix info leaks Willy Tarreau
2014-05-12  8:41   ` Christoph Biedl
2014-05-12  8:51   ` Mathias Krause
2014-05-12  8:57     ` Willy Tarreau
2014-05-12 11:43       ` Willy Tarreau
2014-05-12 14:42       ` David Miller
2014-05-12  0:32 ` [ 031/143] can: dev: fix nlmsg size calculation in can_get_size() Willy Tarreau
2014-05-12  0:32 ` [ 032/143] net: vlan: fix nlmsg size calculation in vlan_get_size() Willy Tarreau
2014-05-12  0:32 ` [ 033/143] farsync: fix info leak in ioctl Willy Tarreau
2014-05-12  0:32 ` [ 034/143] connector: use nlmsg_len() to check message length Willy Tarreau
2014-05-12  0:32 ` [ 035/143] net: dst: provide accessor function to dst->xfrm Willy Tarreau
2014-05-12  0:32 ` [ 036/143] sctp: Use software crc32 checksum when xfrm transform will happen Willy Tarreau
2014-05-12  0:32 ` [ 037/143] sctp: Perform software checksum if packet has to be fragmented Willy Tarreau
2014-05-12  0:32 ` [ 038/143] wanxl: fix info leak in ioctl Willy Tarreau
2014-05-12  0:32 ` [ 039/143] davinci_emac.c: Fix IFF_ALLMULTI setup Willy Tarreau
2014-05-12  0:32 ` [ 040/143] resubmit bridge: fix message_age_timer calculation Willy Tarreau
2014-05-12  0:32 ` [ 041/143] ipv6 mcast: use in6_dev_put in timer handlers instead of Willy Tarreau
2014-05-12  0:32 ` [ 042/143] ipv4 igmp: use in_dev_put in timer handlers instead of __in_dev_put Willy Tarreau
2014-05-12  0:32 ` [ 043/143] dm9601: fix IFF_ALLMULTI handling Willy Tarreau
2014-05-12  0:32 ` [ 044/143] bonding: Fix broken promiscuity reference counting issue Willy Tarreau
2014-05-12  0:32 ` [ 045/143] ll_temac: Reset dma descriptors indexes on ndo_open Willy Tarreau
2014-05-12  0:32 ` [ 046/143] tcp: fix tcp_md5_hash_skb_data() Willy Tarreau
2014-05-12  0:32 ` [ 047/143] ipv6: fix possible crashes in ip6_cork_release() Willy Tarreau
2014-05-12  0:32 ` [ 048/143] ip_tunnel: fix kernel panic with icmp_dest_unreach Willy Tarreau
2014-05-12  0:32 ` [ 049/143] net: sctp: fix NULL pointer dereference in socket destruction Willy Tarreau
2014-05-12  0:32 ` [ 050/143] packet: packet_getname_spkt: make sure string is always 0-terminated Willy Tarreau
2014-05-12  0:32 ` [ 051/143] neighbour: fix a race in neigh_destroy() Willy Tarreau
2014-05-12  0:32 ` [ 052/143] net: Swap ver and type in pppoe_hdr Willy Tarreau
2014-05-12  0:32 ` [ 053/143] sunvnet: vnet_port_remove must call unregister_netdev Willy Tarreau
2014-05-12  0:32 ` [ 054/143] ifb: fix rcu_sched self-detected stalls Willy Tarreau
2014-05-12  0:32 ` [ 055/143] dummy: fix oops when loading the dummy failed Willy Tarreau
2014-05-12  0:32 ` [ 056/143] ifb: fix oops when loading the ifb failed Willy Tarreau
2014-05-12  0:32 ` [ 057/143] vlan: fix a race in egress prio management Willy Tarreau
2014-05-12  0:32 ` [ 058/143] arcnet: cleanup sizeof parameter Willy Tarreau
2014-05-12  0:32 ` [ 059/143] sysctl net: Keep tcp_syn_retries inside the boundary Willy Tarreau
2014-06-11 18:46   ` Luis Henriques
2014-06-11 19:46     ` Willy Tarreau
2014-06-12 12:55       ` Luis Henriques
2014-06-12 13:02         ` Willy Tarreau
2014-06-14 17:50         ` Willy Tarreau
2014-06-20 22:16           ` Eric W. Biederman
2014-06-20 22:58             ` Willy Tarreau
2014-06-21  0:19               ` Eric W. Biederman
2014-05-12  0:33 ` [ 060/143] sctp: fully initialize sctp_outq in sctp_outq_init Willy Tarreau
2014-05-12  0:33 ` [ 061/143] net_sched: Fix stack info leak in cbq_dump_wrr() Willy Tarreau
2014-05-12  0:33 ` [ 062/143] af_key: more info leaks in pfkey messages Willy Tarreau
2014-05-12  0:33 ` [ 063/143] net_sched: info leak in atm_tc_dump_class() Willy Tarreau
2014-05-12  0:33 ` [ 064/143] htb: fix sign extension bug Willy Tarreau
2014-05-12  0:33 ` [ 065/143] net: check net.core.somaxconn sysctl values Willy Tarreau
2014-05-12  0:33 ` [ 066/143] tcp: cubic: fix bug in bictcp_acked() Willy Tarreau
2014-05-12  0:33 ` [ 067/143] ipv6: dont stop backtracking in fib6_lookup_1 if subtree does not Willy Tarreau
2014-05-12  0:33 ` [ 068/143] ipv6: remove max_addresses check from ipv6_create_tempaddr Willy Tarreau
2014-05-12  0:33 ` [ 069/143] ipv6: drop packets with multiple fragmentation headers Willy Tarreau
2014-05-12  0:33 ` [ 070/143] ipv6: Dont depend on per socket memory for neighbour discovery Willy Tarreau
2014-05-12  0:33 ` [ 071/143] ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO Willy Tarreau
2014-05-12  0:33 ` [ 072/143] tipc: fix lockdep warning during bearer initialization Willy Tarreau
2014-05-12 16:04   ` Jon Maloy
2014-05-12 16:16     ` Willy Tarreau
2014-05-12 16:41       ` Jon Maloy
2014-05-12 17:12         ` Willy Tarreau
2014-05-12 17:19           ` Jon Maloy
2014-05-12 18:11             ` Willy Tarreau
2014-05-12  0:33 ` [ 073/143] net: Fix "ip rule delete table 256" Willy Tarreau
2014-05-12  0:33 ` [ 074/143] ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv Willy Tarreau
2014-05-12  0:33 ` [ 075/143] random32: fix off-by-one in seeding requirement Willy Tarreau
2014-05-12  0:33 ` [ 076/143] bonding: fix two race conditions in bond_store_updelay/downdelay Willy Tarreau
2014-05-12  0:33 ` [ 077/143] isdnloop: use strlcpy() instead of strcpy() Willy Tarreau
2014-05-12  0:33 ` [ 078/143] ipv4: fix possible seqlock deadlock Willy Tarreau
2014-05-12  0:33 ` [ 079/143] inet: prevent leakage of uninitialized memory to user in recv Willy Tarreau
2014-05-12  0:33 ` [ 080/143] net: rework recvmsg handler msg_name and msg_namelen logic Willy Tarreau
2014-05-13 12:44   ` Luis Henriques
2014-05-13 12:49     ` Willy Tarreau
2014-05-14  5:45     ` Willy Tarreau
2014-05-12  0:33 ` [ 081/143] net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct Willy Tarreau
2014-05-12  0:33 ` [ 082/143] inet: fix addr_len/msg->msg_namelen assignment in recv_error and Willy Tarreau
2014-05-12  0:33 ` [ 083/143] net: clamp ->msg_namelen instead of returning an error Willy Tarreau
2014-05-14 10:02   ` Dan Carpenter
2014-05-14 12:27     ` Willy Tarreau
2014-05-12  0:33 ` [ 084/143] ipv6: fix leaking uninitialized port number of offender sockaddr Willy Tarreau
2014-05-12  0:33 ` [ 085/143] atm: idt77252: fix dev refcnt leak Willy Tarreau
2014-05-12  0:33 ` [ 086/143] net: core: Always propagate flag changes to interfaces Willy Tarreau
2014-05-12  0:33 ` [ 087/143] bridge: flush brs address entry in fdb when remove the bridge dev Willy Tarreau
2014-05-12  0:33 ` [ 088/143] inet: fix possible seqlock deadlocks Willy Tarreau
2014-05-12  0:33 ` [ 089/143] ipv6: fix possible seqlock deadlock in ip6_finish_output2 Willy Tarreau
2014-05-12  0:33 ` [ 090/143] {pktgen, xfrm} Update IPv4 header total len and checksum after Willy Tarreau
2014-05-12  0:33 ` [ 091/143] net: drop_monitor: fix the value of maxattr Willy Tarreau
2014-05-12  0:33 ` [ 092/143] net: unix: allow bind to fail on mutex lock Willy Tarreau
2014-05-12  0:33 ` [ 093/143] drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() Willy Tarreau
2014-05-12  0:33 ` [ 094/143] hamradio/yam: fix info leak in ioctl Willy Tarreau
2014-05-12  0:33 ` [ 095/143] rds: prevent dereference of a NULL device Willy Tarreau
2014-05-12  0:33 ` [ 096/143] net: rose: restore old recvmsg behavior Willy Tarreau
2014-05-12  0:33 ` [ 097/143] net: llc: fix use after free in llc_ui_recvmsg Willy Tarreau
2014-05-12  0:33 ` [ 098/143] inet_diag: fix inet_diag_dump_icsk() timewait socket state logic Willy Tarreau
2014-05-12  0:33 ` [ 099/143] net: fix ip rule iif/oif device rename Willy Tarreau
2014-05-12  0:33 ` [ 100/143] tg3: Fix deadlock in tg3_change_mtu() Willy Tarreau
2014-05-12  0:33 ` [ 101/143] bonding: 802.3ad: make aggregator_identifier bond-private Willy Tarreau
2014-05-12  0:33 ` [ 102/143] net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode Willy Tarreau
2014-05-12  0:33 ` [ 103/143] virtio-net: alloc big buffers also when guest can receive UFO Willy Tarreau
2014-05-12  0:33 ` [ 104/143] tg3: Dont check undefined error bits in RXBD Willy Tarreau
2014-05-12  0:33 ` [ 105/143] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH Willy Tarreau
2014-05-12  0:33 ` [ 106/143] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Willy Tarreau
2014-05-12  0:33 ` [ 107/143] net: socket: error on a negative msg_namelen Willy Tarreau
2014-05-12  0:33 ` [ 108/143] netlink: dont compare the nul-termination in nla_strcmp Willy Tarreau
2014-05-12  0:33 ` [ 109/143] isdnloop: several buffer overflows Willy Tarreau
2014-05-12  0:33 ` [ 110/143] rds: prevent dereference of a NULL device in rds_iw_laddr_check Willy Tarreau
2014-05-12  0:33 ` [ 111/143] isdnloop: Validate NUL-terminated strings from user Willy Tarreau
2014-05-12  0:33 ` [ 112/143] sctp: unbalanced rcu lock in ip_queue_xmit() Willy Tarreau
2014-05-12  0:33 ` [ 113/143] aacraid: prevent invalid pointer dereference Willy Tarreau
2014-05-12  0:33 ` [ 114/143] ipv6: udp packets following an UFO enqueued packet need also be Willy Tarreau
2014-05-12  0:33 ` [ 115/143] inet: fix possible memory corruption with UDP_CORK and UFO Willy Tarreau
2014-05-12  0:33 ` [ 116/143] vm: add vm_iomap_memory() helper function Willy Tarreau
2014-05-12  0:33 ` [ 117/143] Fix a few incorrectly checked [io_]remap_pfn_range() calls Willy Tarreau
2014-05-12  0:33 ` [ 118/143] libertas: potential oops in debugfs Willy Tarreau
2014-05-12  0:33 ` [ 119/143] x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround Willy Tarreau
2014-05-12  0:34 ` [ 120/143] gianfar: disable TX vlan based on kernel 2.6.x Willy Tarreau
2014-05-12  0:34 ` [ 121/143] [CPUFREQ] powernow-k6: set transition latency value so ondemand Willy Tarreau
2014-05-12  0:34 ` [ 122/143] powernow-k6: disable cache when changing frequency Willy Tarreau
2014-05-12  0:34 ` [ 123/143] powernow-k6: correctly initialize default parameters Willy Tarreau
2014-05-12  0:34 ` [ 124/143] powernow-k6: reorder frequencies Willy Tarreau
2014-05-12  0:34 ` [ 125/143] tcp: fix tcp_trim_head() to adjust segment count with skb MSS Willy Tarreau
2014-05-12  0:34 ` [ 126/143] tcp_cubic: limit delayed_ack ratio to prevent divide error Willy Tarreau
2014-05-12  0:34 ` [ 127/143] tcp_cubic: fix the range of delayed_ack Willy Tarreau
2014-05-12  0:34 ` [ 128/143] n_tty: Fix n_tty_write crash when echoing in raw mode Willy Tarreau
2014-05-12  0:34 ` [ 129/143] exec/ptrace: fix get_dumpable() incorrect tests Willy Tarreau
2014-05-12  0:34 ` [ 130/143] ipv6: call udp_push_pending_frames when uncorking a socket with Willy Tarreau
2014-05-12  0:34 ` [ 131/143] dm snapshot: fix data corruption Willy Tarreau
2014-05-12  0:34 ` [ 132/143] crypto: ansi_cprng - Fix off by one error in non-block size request Willy Tarreau
2014-05-12  0:34 ` [ 133/143] uml: check length in exitcode_proc_write() Willy Tarreau
2014-05-12  0:34 ` [ 134/143] KVM: Improve create VCPU parameter (CVE-2013-4587) Willy Tarreau
2014-05-12  0:34 ` [ 135/143] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Willy Tarreau
2014-05-12  0:34 ` [ 136/143] qeth: avoid buffer overflow in snmp ioctl Willy Tarreau
2014-05-12  0:34 ` [ 137/143] xfs: underflow bug in xfs_attrlist_by_handle() Willy Tarreau
2014-05-13 11:08   ` Luis Henriques
2014-05-13 11:18     ` Willy Tarreau
2014-05-14  9:50     ` Dan Carpenter
2014-05-22  8:19       ` Dan Carpenter
2014-05-12  0:34 ` [ 138/143] aacraid: missing capable() check in compat ioctl Willy Tarreau
2014-05-12  0:34 ` [ 139/143] SELinux: Fix kernel BUG on empty security contexts Willy Tarreau
2014-05-12  0:34 ` [ 140/143] s390: fix kernel crash due to linkage stack instructions Willy Tarreau
2014-05-12  0:34 ` [ 141/143] netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages Willy Tarreau
2014-05-12  0:34 ` [ 142/143] floppy: ignore kernel-only members in FDRAWCMD ioctl input Willy Tarreau
2014-05-12  0:34 ` [ 143/143] floppy: dont write kernel-only members to FDRAWCMD ioctl output Willy Tarreau
